Who am I?

Interests

• Breaking things
• Laser tag
• Cats



The Story 

INSPIRATION 
The Setting

Post pentest drinks with client

• ... So if you own the Active Directory server, what exactly can you do?
• The norm: control of every user, ability to push policy updates, etc...
• Exchange can remotely wipe devices, so why not that too?
Inspiration

Do we really need Exchange for that though?

Maybe we just send the phone those commands directly.

THAT COULDN'T POSSIBLY WORK
Surely not...

It couldn't be that easy, could it?

Surely SSL would prevent this if nothing else.

Maybe it uses some sort of secure exchange, shared secrets, something...
AN EXPERT OPINION

I had a talk with a Microsoft Exchange admin type person...

"It should work fine, as long as SSL is disabled"

Damn... Well, let's try it out anyway!

TIME TO GET STARTED
Exchange!

• Let's get some packet dumps of a legit wipe operation
• Exchange can't be that hard to install, right? I've done postfix & sendmail before...
• Crap.

had hanging around
Packet Sniffing - Provisioning

POST /Microsoft-Server-ActiveSync?Cmd= &DeviceType=Android HTTP/1.1
Content-Type: application/vnd.ms-sync.wbxml
Authorization: Basic ZnVja2VyeS5mdWNrXGRpcnQ6cGFzc3dvcmQxMjMk
MS-ASProtocolVersion: 12.0
Connection: keep-alive
User-Agent: Android/0.3
X-MS-PolicyKey: 358347207
Content-Length: 13
Host: 192.168.1.218

HTTP/1.1 449 Retry after sending a PROVISION command
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.5
MS-Server-ActiveSync: 14.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Tue, 08 May 2012 07:08:22 GMT
Content-Length: 54

The custom error module does not recognize this error.
Packet Sniffing - Wipe

POST /Microsoft-Server-ActiveSync?Cmd=Provision&User= &DeviceType=Android HTTP/1.1
Content-Type: application/vnd.ms-sync.wbxml
Authorization: Basic ZnVja2VyeS5mdWNrXGRpcnQ6cGFzc3dvcmQxMjMk
MS-ASProtocolVersion: 12.0
Connection: keep-alive
User-Agent: Android/0.3
X-MS-PolicyKey:
Content-Length: 41
Host: 192.168.1.218

..j...EFGH.MS-EAS-Provisioning-WBXML

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: application/vnd.ms-sync.wbxml
Server: Microsoft-IIS/7.5
MS-Server-ActiveSync: 14.0
Date: Tue, 08 May 2012 07:00:04 GMT
Content-Length: 123

..j...EK.l..FGH.MS-EAS-Provisioning-WBXML..K.l..1.2761868790..DMN.0.V.8...X.l...Z.0

(Request and response bodies are WBXML; non-printable bytes are shown as dots.)
Binary Protocols

Decoded

<Provision>
  <Status>1</Status>
  <Policies>
    <Policy>
      <PolicyType>MS-EAS-Provisioning-WBXML</PolicyType>
      <Status>1</Status>
      <PolicyKey>2761868790</PolicyKey>
      <Data>
        <EASProvisionDoc>
          <DevicePasswordEnabled>0</DevicePasswordEnabled>
          <AlphanumericDevicePasswordRequired>0</AlphanumericDevicePasswordRequired>
          <PasswordRecoveryEnabled>0</PasswordRecoveryEnabled>
          <DeviceEncryptionEnabled>0</DeviceEncryptionEnabled>
          <AttachmentsEnabled>1</AttachmentsEnabled>
          <MinDevicePasswordLength>4</MinDevicePasswordLength>
          <MaxInactivityTimeDeviceLock>900</MaxInactivityTimeDeviceLock>
          <MaxDevicePasswordFailedAttempts>8</MaxDevicePasswordFailedAttempts>
          <MaxAttachmentSize />
          <AllowSimpleDevicePassword>1</AllowSimpleDevicePassword>
          <DevicePasswordExpiration />
          <DevicePasswordHistory>0</DevicePasswordHistory>
        </EASProvisionDoc>
      </Data>
    </Policy>
  </Policies>
  <RemoteWipe />
</Provision>

The Backg
Structure

<DevicePasswordEnabled>0</DevicePasswordEnabled>
<AlphanumericDevicePasswordRequired>0</AlphanumericDevicePasswordRequired>
<PasswordRecoveryEnabled>0</PasswordRecoveryEnabled>
<DeviceEncryptionEnabled>0</DeviceEncryptionEnabled>
<AttachmentsEnabled>1</AttachmentsEnabled>
<MinDevicePasswordLength>4</MinDevicePasswordLength>
<MaxInactivityTimeDeviceLock>900</MaxInactivityTimeDeviceLock>
<MaxDevicePasswordFailedAttempts>8</MaxDevicePasswordFailedAttempts>
<MaxAttachmentSize />
<AllowSimpleDevicePassword>1</AllowSimpleDevicePassword>
<DevicePasswordExpiration />
<DevicePasswordHistory>0</DevicePasswordHistory>
</EASProvisionDoc>
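What a defender-side tool (a proxy log parser or a client-side check) should pull out of a Provision response like the one decoded above, as an added example that is not code from the talk. It takes the decoded XML from the Decoded slide and a copy of the captured response head, both constructed here as sample input; WBXML decoding is assumed to have happened already, and namespaces are omitted because the slide shows none. It reports whether the response carries a RemoteWipe element and which policy settings are weak; the password-length threshold of 6 is this example's choice, not an Exchange default.

```python
"""Audit a decoded Exchange ActiveSync Provision response.

Added example, not code from the talk. Input is the decoded XML form of the
Provision response (WBXML decoding assumed done beforehand; no namespaces,
as on the slide).
"""
import xml.etree.ElementTree as ET

# Sample input, constructed from the decoded response on the Decoded slide.
DECODED_PROVISION = """<Provision>
  <Status>1</Status>
  <Policies>
    <Policy>
      <PolicyType>MS-EAS-Provisioning-WBXML</PolicyType>
      <Status>1</Status>
      <PolicyKey>2761868790</PolicyKey>
      <Data>
        <EASProvisionDoc>
          <DevicePasswordEnabled>0</DevicePasswordEnabled>
          <AlphanumericDevicePasswordRequired>0</AlphanumericDevicePasswordRequired>
          <PasswordRecoveryEnabled>0</PasswordRecoveryEnabled>
          <DeviceEncryptionEnabled>0</DeviceEncryptionEnabled>
          <AttachmentsEnabled>1</AttachmentsEnabled>
          <MinDevicePasswordLength>4</MinDevicePasswordLength>
          <MaxInactivityTimeDeviceLock>900</MaxInactivityTimeDeviceLock>
          <MaxDevicePasswordFailedAttempts>8</MaxDevicePasswordFailedAttempts>
          <MaxAttachmentSize />
          <AllowSimpleDevicePassword>1</AllowSimpleDevicePassword>
          <DevicePasswordExpiration />
          <DevicePasswordHistory>0</DevicePasswordHistory>
        </EASProvisionDoc>
      </Data>
    </Policy>
  </Policies>
  <RemoteWipe />
</Provision>"""

# Constructed response head, header values copied from the capture slide.
RESPONSE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Content-Type: application/vnd.ms-sync.wbxml\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "MS-Server-ActiveSync: 14.0\r\n"
    "Content-Length: 123\r\n"
)


def parse_http_head(raw):
    """Return (status_code, {lower-cased header name: value}) from a raw head."""
    lines = raw.strip().splitlines()
    status_code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers


def parse_provision(xml_text):
    """Extract status, policy key, policy settings and the RemoteWipe flag."""
    root = ET.fromstring(xml_text)
    if root.tag != "Provision":
        raise ValueError("not a Provision document")
    result = {
        "status": root.findtext("Status"),
        "remote_wipe": root.find("RemoteWipe") is not None,
        "policy_key": root.findtext("Policies/Policy/PolicyKey"),
        "settings": {},
    }
    doc = root.find("Policies/Policy/Data/EASProvisionDoc")
    if doc is not None:
        # Empty elements such as <MaxAttachmentSize /> become "" (unset).
        result["settings"] = {c.tag: (c.text or "").strip() for c in doc}
    return result


def audit_policy(settings):
    """Return findings for weak settings in an EASProvisionDoc."""
    findings = []
    if settings.get("DevicePasswordEnabled") == "0":
        findings.append("device password not required")
    if settings.get("DeviceEncryptionEnabled") == "0":
        findings.append("device encryption not required")
    if settings.get("AllowSimpleDevicePassword") == "1":
        findings.append("simple passwords allowed")
    length = settings.get("MinDevicePasswordLength")
    if length and int(length) < 6:  # 6 is this example's threshold, not Exchange's
        findings.append("minimum password length below 6 (%s)" % length)
    if settings.get("DevicePasswordExpiration", "") == "":
        findings.append("no password expiration set")
    return findings


def analyze(response_head, decoded_body):
    """Combine header checks and body checks into one report dict."""
    status_code, headers = parse_http_head(response_head)
    report = {
        "http_status": status_code,
        "content_type_is_wbxml": headers.get("content-type") == "application/vnd.ms-sync.wbxml",
        "server_eas_version": headers.get("ms-server-activesync"),
    }
    prov = parse_provision(decoded_body)
    report.update(prov)
    report["findings"] = audit_policy(prov["settings"])
    if prov["remote_wipe"]:
        # The wipe element is the one thing worth alerting on immediately.
        report["findings"].insert(0, "RemoteWipe present: client is instructed to wipe the device")
    return report


if __name__ == "__main__":
    for key, value in analyze(RESPONSE_HEAD, DECODED_PROVISION).items():
        print("%-22s %s" % (key, value))
```

Run stand-alone it prints the report for the captured exchange; the same functions can be fed the decoded body of any other Provision response, so a proxy that already decodes WBXML can log every RemoteWipe it sees together with the server that issued it.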
Targets

MiTM

WiFi is cool, phones have WiFi

ARP Poisoning

Pineapple

The Dance

LET'S WIPE
Step 1: Request

• Accept connection
• Use a shonky self-signed SSL cert

Step 2: Provision

• Send HTTP error 449

Step 3: Wipe

• Send policy push containing wipe command
• Celebrate.

• Oh no :(
• Let's hope this works.
Demo Time

Future Work

Compulsory OSS Project: Protocol Library

Emulate ActiveSync Protocol

Allow for projects to interact with mobile clients in new ways

Translation layer between Exchange clients and other servers

Lots of things!
Lofty Goal: Data Theft

Wouldn't it be nice if we could get data back off the phones?

Remote backup functionality

Sync features

Hopefully possible!

Lofty Goal: Ongoing Access

What sort of configuration options can we set?

Anything undocumented?

Can we reconfigure the device to point at another server?

Conclud
Thanks!

• Andrew Kitis
• Rob McKnight
• Randal Adamson
• Sid
• Murray Brand
• Clinton Carpene
• #nodavesclub
• #cduc
• #kiwicon

Thanks for Listen

ANY QUESTIONS?!